
Improve pipeline deploy attestation evidence gates #1389

Open: danyili2632 wants to merge 1 commit into UnitOneAI:main from danyili2632:improve/pipeline-deploy-attestation-gates

@danyili2632

Summary

  • addresses [REVIEW] pipeline-security: add deploy-time attestation verification gates #1372 by adding deploy-time attestation verification gates to pipeline-security
  • expands CICD-SEC-9 beyond build-side provenance generation to require deploy/release verification and enforcement
  • adds evidence gates for subject digest binding, verifier command/policy, issuer/certificate identity, source ref, builder ID, SLSA predicate validation, enforcement mode, exception owner, and multi-arch image handling
  • updates report output with deploy-time verification evidence fields

Validation

  • git diff --check
  • verified required markers for deploy-time attestation verification, digest binding, identity constraints, SLSA predicate validation, enforcement mode, exception governance, multi-arch handling, and output evidence fields
  • verified Markdown fence count is balanced

Bounty

  • Target tier: Improver Moderate ($100) if accepted
  • Preferred payment method: crypto, Base USDC 0x6CBF4b5cb88b8C2B7af776Bc2B073163B5d3C08A
